Backy

Privacy Policy

Last updated: June 4, 2026

This Privacy Policy explains how Backy ("Backy", "we", "us"), a Shopify app operated by ORPTECH Software, collects, uses, and protects information when a merchant installs and uses the app, and when shoppers interact with its back-in-stock and pre-order features.

1. Who we are

Backy is provided by ORPTECH Software (orptech.com). For privacy questions or data requests, contact [email protected].

2. Information we collect

• Store information: your .myshopify.com domain, an offline Shopify access token, and the API scopes you granted. The access token is encrypted at rest.
• Product & inventory data: via the Shopify API and webhooks (inventory_levels/update), limited to what is needed to detect restocks.
• Shopper waitlist data: when a shopper signs up to be notified, we store their email address, the product/variant requested, their locale, and the storefront domain they used. This is personal data we process on the merchant's behalf.
• Email provider credentials (BYO-ESP): if you connect your own email provider (Postmark, SendGrid, or Mailgun), we store those API credentials encrypted at rest. We never display them back in plaintext.
• Delivery logs: a record of each notification attempt (recipient, provider, status) for debugging and analytics.

We do not collect payment card data, and we do not sell personal data.

3. How we use information

• To send back-in-stock and pre-order notifications shoppers asked for.
• To show merchants demand analytics and waitlist management in the app.
• To send notifications through your own connected email provider — shopper emails and notification content are transmitted to the ESP you choose, under that provider's terms.
• To operate, secure, and improve the app.

4. Sub-processors

• Shopify — the platform the app runs on.
• Our hosting provider — runs the application, database, and queue.
• Your chosen email provider (Postmark / SendGrid / Mailgun) — receives the notification content and recipient address to deliver mail. We are not responsible for their independent processing; review their privacy terms.

5. Data retention & deletion

• We honour Shopify's mandatory privacy webhooks: customers/data_request (we surface the data we hold), customers/redact (we delete a shopper's data), and shop/redact (we erase all of a store's data ~48 hours after uninstall).
• When you uninstall the app, we mark the store inactive, remove the access token, and delete remaining store data on the shop/redact signal.

6. Your rights

Depending on your jurisdiction (e.g. GDPR, CCPA), you or your customers may have rights to access, correct, delete, or restrict processing of personal data. Merchants can trigger deletion through Shopify, or contact us directly at [email protected].

7. Security

Data is transmitted over TLS. Access tokens and ESP credentials are encrypted at rest. Access to merchant data is scoped per store. App requests are authenticated with Shopify session tokens and webhook/HMAC verification.

8. Changes

We may update this policy; material changes will be reflected by the "Last updated" date above.